PatchSiren cyber security CVE debrief

CVE-2026-33808 fastify CVE debrief

A critical authentication bypass vulnerability exists in @fastify/express versions 4.0.4 and earlier. When Fastify router normalization options—specifically `ignoreDuplicateSlashes` or `useSemicolonDelimiter`—are enabled, the Fastify router normalizes incoming URLs to match protected routes, but @fastify/express passes the original un-normalized URL to Express middleware. This causes path-scoped authentication middleware to fail to match the request, resulting in complete bypass. An unauthenticated attacker can exploit this by crafting URLs with duplicate slashes or semicolon delimiters to access protected routes without credentials. The vulnerability was published on April 15, 2026, and the NVD record was last modified on June 1, 2026. The issue is resolved in version 4.0.5.

Vendor: fastify
Product: @fastify/express
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-15
Original CVE updated: 2026-06-01
Advisory published: 2026-04-15
Advisory updated: 2026-06-01

Who should care

Organizations running Node.js applications using @fastify/express ≤4.0.4 with Fastify router normalization options enabled, particularly those relying on Express middleware for path-scoped authentication or authorization. Development teams maintaining Fastify-based APIs with Express compatibility layers should prioritize this patch.

Technical summary

The root cause is a URL normalization mismatch between the Fastify router and the @fastify/express plugin. When Fastify's `ignoreDuplicateSlashes` or `useSemicolonDelimiter` options are enabled, Fastify normalizes the request URL before routing (collapsing duplicate slashes or handling semicolons), allowing the request to match a protected route. However, @fastify/express forwards the raw, un-normalized URL to Express middleware. Express path-matching logic does not recognize the malformed URL as matching the protected path pattern, so authentication middleware is skipped. The request then proceeds to the route handler with no authentication enforced. This is a classic bypass arising from inconsistent URL canonicalization between framework layers.

Defensive priority

critical

Recommended defensive actions

  • Upgrade @fastify/express to version 4.0.5 or later immediately.
  • If immediate patching is not feasible, disable `ignoreDuplicateSlashes` and `useSemicolonDelimiter` Fastify router normalization options to eliminate the attack surface.
  • Review access logs for requests containing duplicate slashes (e.g., `//`) or semicolon path delimiters targeting protected routes, particularly from unauthenticated sources.
  • Validate that path-scoped Express authentication middleware is executing for all expected route patterns after upgrade or configuration change.
  • Monitor the Fastify GitHub Security Advisory and OpenJSF CNA pages for any additional guidance or related patches.
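The canonicalization mismatch described in the technical summary is also the condition a log review can test for: a request whose raw path does not literally fall under a protected prefix, but whose normalized form does. The following is an added example, not code from the advisory or from the Fastify project; it models the two router options as "collapse runs of `/`" and "cut the path at the first `;`" (a simplification), and the protected prefixes and log lines are constructed.

```javascript
// Hypothetical protected path prefixes that Express auth middleware is scoped to.
const PROTECTED_PREFIXES = ['/admin', '/api/internal'];

// Simplified model of the Fastify router normalization named in the debrief:
//   useSemicolonDelimiter -> the route path ends at the first ';'
//   ignoreDuplicateSlashes -> runs of '/' collapse to a single '/'
function canonicalizePath(rawPath) {
  const noQuery = rawPath.split('?')[0];
  const noSemicolon = noQuery.split(';')[0];
  return noSemicolon.replace(/\/{2,}/g, '/');
}

// Literal prefix match, the way a path-scoped middleware mount would see it.
function matchesProtected(path) {
  return PROTECTED_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Parse a Common Log Format line: ip - - [ts] "METHOD PATH HTTP/x" status size
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], rawPath: m[4], status: Number(m[5]) };
}

// Return entries where the canonical path is protected but the raw path, as the
// Express layer would have received it, is not. Those are the requests to review.
function findNormalizationMismatches(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e) continue;
    const canonical = canonicalizePath(e.rawPath);
    const rawNoQuery = e.rawPath.split('?')[0];
    if (matchesProtected(canonical) && !matchesProtected(rawNoQuery)) {
      hits.push({ ...e, canonical });
    }
  }
  return hits;
}

// Constructed sample access-log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [15/Apr/2026:10:00:01 +0000] "GET /admin/users HTTP/1.1" 401 0',
  '203.0.113.7 - - [15/Apr/2026:10:00:02 +0000] "GET //admin/users HTTP/1.1" 200 5120',
  '203.0.113.7 - - [15/Apr/2026:10:00:03 +0000] "GET /admin;x/users HTTP/1.1" 200 5120',
  '198.51.100.2 - - [15/Apr/2026:10:00:04 +0000] "GET /public//index.html HTTP/1.1" 200 88',
];
```

Run over `SAMPLE_LOG`, the second and third lines are flagged (a 200 on a protected route after a 401 on its literal form), while the duplicate slash under `/public` is ignored because no middleware scope is affected.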

Evidence notes

The vulnerability description is sourced from the official NVD record (source_item_475af0f5-fd82-4bb7-9d89-3f891b4dbc0d, nvd_modified). The affected product is identified as fastify:fastify/express with versions prior to 4.0.5 per CPE criteria. CVSS 4.0 vector confirms network attack vector with low attack complexity and no privileges required. The OpenJSF CNA and Fastify GitHub Security Advisory (GHSA-6hw5-45gm-fj88) are cited as vendor advisories with exploit and mitigation tags.
